The protected health information of 925 patients was compromised in a ransomware attack on Coastal Cape Fear Eye Associates. The breach was discovered on December 5, 2017, and Coastal Cape Fear Eye Associates immediately brought in IT professionals to deal with the attack and remove the ransomware. The IT consultants succeeded in removing the malware and limiting its harmful effects, but certain files remained locked and inaccessible for a while.

The healthcare provider posted a substitute breach notice on its website on February 1, 2018. Notifications to patients were delayed because the provider could not access certain files that were needed to determine which patients and what PHI were affected. It was possible to access the encrypted files only recently.

Under the HIPAA Rules, healthcare organizations are required to report ransomware attacks. The only exception is when there is a low probability of PHI exposure. Ransomware usually encrypts files and has nothing to do with file access. Nevertheless, the Department of Health and Human Services’ Office for Civil Rights has issued guidance that, in most cases, ransomware attacks must be reported and patients should be sent notifications.